Palo Alto PANOS 6.1.2: No more SSLv3/POODLE

Another fixed issue in the just-released PANOS version 6.1.2 from Palo Alto Networks is bug ID 71321: “Removed support for SSL 3.0 from the GlobalProtect gateway, GlobalProtect portal, and Captive Portal due to CVE-2014-3566 (POODLE).” I scanned my lab unit before (6.1.1) and after the OS upgrade (6.1.2), and here are the results.

Once more I am using the Qualys SSL Server Test to test the TLS status of my services, in this case the Palo Alto GlobalProtect login page. Here are the two results before and after the update to version 6.1.2. Since the previous version was vulnerable to the “Padding Oracle On Downgraded Legacy Encryption” attack, the overall rating was degraded to F.

SSL Server Test GlobalProtect Portal with 6.1.1.

SSL Server Test GlobalProtect Portal with 6.1.2.

Though it is nice that the TLS connections to the Palo Alto are no longer vulnerable to these types of attacks, I would prefer to choose the protocols and ciphers that are used on the server myself, rather than relying only on the default Palo Alto settings. For example, not a single cipher suite on offer supports Perfect Forward Secrecy. Oh oh.
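The two things this post looks for in a scan result, SSL 3.0 still being enabled and no cipher suite with an ephemeral key exchange, are easy to check without a web service. Below is an added example (my own, not from the post, from Qualys, or from Palo Alto Networks) that classifies scanner-style protocol and cipher lists and, for a live host, offers only ECDHE/DHE suites to see whether a forward-secrecy handshake is possible. The sample lists `SCAN_BEFORE` and `SCAN_AFTER` are constructed to resemble a 6.1.1 and a 6.1.2 result; they are not the actual output from the scans above. The forward-secrecy rule is general: it also recognises TLS 1.3 suites, which did not exist at the time of the post.

```python
import re
import socket
import ssl

# Constructed sample scan results (illustrative, not the scanner output from the post):
# protocol and cipher-suite lists in the shape a TLS scanner reports them, one for a
# service that still speaks SSL 3.0 and one after SSL 3.0 has been removed.
SCAN_BEFORE = {
    "protocols": ["SSL 3.0", "TLS 1.0"],
    "ciphers": [
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ],
}
SCAN_AFTER = {"protocols": ["TLS 1.0"], "ciphers": list(SCAN_BEFORE["ciphers"])}

# Forward secrecy comes from an ephemeral (EC)DH key exchange: TLS_ECDHE_.../TLS_DHE_...
# in IANA spelling, ECDHE-.../DHE-... in OpenSSL spelling.  TLS 1.3 suites carry no
# key-exchange prefix because TLS 1.3 only permits ephemeral exchanges, so they count too.
_FS_PREFIX = re.compile(r"^(TLS_)?(ECDHE|DHE)[_-]", re.IGNORECASE)
_TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}


def has_forward_secrecy(suite: str) -> bool:
    """True if the suite's key exchange is ephemeral, i.e. a recorded session cannot be
    decrypted later with the server's long-term private key."""
    return suite in _TLS13_SUITES or _FS_PREFIX.match(suite) is not None


def assess(scan: dict) -> list:
    """Return the findings a reviewer would raise for one scan result."""
    findings = []
    protocols = {p.replace(" ", "").upper() for p in scan["protocols"]}
    if "SSL3.0" in protocols or "SSLV3" in protocols:
        findings.append(
            "SSL 3.0 enabled: exposed to POODLE (CVE-2014-3566, "
            "Padding Oracle On Downgraded Legacy Encryption)"
        )
    if not any(has_forward_secrecy(c) for c in scan["ciphers"]):
        findings.append(
            "no cipher suite offers forward secrecy (no ECDHE/DHE key exchange)"
        )
    return findings


def probe_forward_secrecy(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live check (needs network, so not exercised offline): offer the server only
    ephemeral-exchange suites and report whether a handshake completes."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE:DHE")  # OpenSSL cipher-list syntax: ephemeral exchanges only
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # tls.cipher() -> (name, protocol, bits); a TLS 1.3 suite name is
                # also accepted by has_forward_secrecy()
                return has_forward_secrecy(tls.cipher()[0])
    except ssl.SSLCertVerificationError:
        raise  # an untrusted certificate is a separate finding, not a cipher result
    except ssl.SSLError:
        return False  # handshake failure: no ephemeral suite in common


if __name__ == "__main__":
    for label, scan in (("6.1.1-style", SCAN_BEFORE), ("6.1.2-style", SCAN_AFTER)):
        print(label, assess(scan) or ["no findings"])
```

Run as-is, the script evaluates the two constructed lists; `probe_forward_secrecy("vpn.example.com")` (placeholder host) performs the live negotiation check against your own portal. On an OpenSSL build that still includes SSL 3.0, `openssl s_client -connect host:443 -ssl3` remains the quickest way to confirm the protocol itself is refused after the upgrade.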